Cyberhaven – Rethink DLP Roundtable

Highlights from “Why It’s Time to Rethink DLP” Virtual Event

I recently had the chance to sit down with a rare collection of security and IT leaders to discuss the state of data protection today, and most importantly, how things need to change going forward. The group included Mark Settle, seven-time CIO at companies such as Okta, Yaron Levi, CISO at Dolby, and John Bottorff, Senior Manager of Cybertools at Western Digital. Frankly, it was a lot of fun to learn from their decades of experience spent building data protection programs and working with DLP tools in real world deployments — and the many pitfalls they can encounter along the way. It ended up being an incredibly insightful and wide-ranging discussion, and I encourage you to check out the full recording of Why It’s Time to Rethink DLP.

However, in case you don’t have the time, here are a few of the big themes that came out of the discussion.

Put Security Practice Before Product

All the members of the panel hammered on a common theme — data protection requires a practice and not just a product. John Bottorff put it succinctly:

There’s often the expectation that you’ll bring in this tool and it will magically protect your data, but there’s never a program in place beforehand to actually define what is the data you are trying to protect…there has to be an understanding of what data are you really trying to protect and from what.

Often organizations will implement a Data Loss Prevention product naturally assuming that it will…prevent data loss. However, despite the name, DLP tools are not bandaids that magically protect data. Many DLP products will only work for certain types of data, may require lots of effort to configure and maintain, and can derail the overall data protection program when users are unexpectedly blocked.

Organizations need to look across the organization to understand what their crown jewels are from a data perspective and how that data can be protected. This could include a wide variety of intellectual property, customer PII, internal communications, and more.  Ultimately, the tools should be dictated by the needs of the business instead of the data security program being defined by the limitations of the tools. 

Keep It Private But Share it With Everybody

One of my favorite lines from the discussion came from Yaron Levi when he said, “You know in health care we used to have the joke that HIPAA is all about keep it private but share it with everybody.” The point was that you naturally need to keep patient data safe, but lots of people need access to that data such as care providers, insurance companies, hospitals, etc. 

This is an issue we increasingly see across all industries. Often our most valuable data is the data that needs to be consumed the most. In fact, data is often valuable because it is shared. Teams may need to collaborate on a document, access and edit plans for an upcoming product launch, or share and modify source code.

Most important data can’t simply be locked away in a safe. It needs to be used. This means organizations need to be prepared for all the ways that data will and potentially could be shared. What are the approved channels for sharing that data? What other unauthorized ways could users potentially share that data, and would the security team be able to see and prevent it? How many copies of the data are out there on user machines or cloud apps? These are some of the fundamental questions that organizations need to be prepared to answer as they approach data protection in a more holistic way.

Data Doesn’t Have To Be Lost To Do Damage

Another consistent theme of the discussion centered on the notion that data protection has to be about more than just data loss. In particular, Mark Settle makes some really compelling arguments that the main focus needs to be on preventing data misuse as opposed to data loss. This really came out in two important statements: 

This observation is certainly not original to me, but you know our data loss prevention tools are really grown up with this idea of defending security perimeters, and it’s kind of a fundamentally broken concept.

You can find ways to shoot yourself in the foot through misusing data… or using data in ways that are unethical or never intended.

Clearly this directly deals with how organizations will safeguard their customers PII and ultimately meet the corporate and regulatory privacy responsibilities. But it also goes beyond PII as well. There are more ways than ever for data to sprawl within the confines of an enterprise whether on end-user laptops working remotely or in cloud-based applications. As data sprawls, it is more likely to be misused or exposed to users and systems that were never intended to access that data. For example, it doesn’t take long for unreleased corporate results, testing data, or acquisition plans to have serious adverse effects on an organization. This means that data protection must, like other security disciplines, relinquish its dependence on the old perimeter model and instead take a full view of data across its lifecycle. 

These are just some of the highpoints of the discussion, and I definitely recommend checking out the full recording. Many of these issues are likewise directly tied to why we built Cyberhaven in the first place. Instead of just focusing on securing a few types of data at traditional perimeter boundaries, we want to ensure organizations have visibility of any or all their data, no matter where it is. If you’d like to learn more about how we can help meet your data protection goals, we would love to hear from you at info@cyberhaven.com.